Personal blog. Hobbies: IT, security, privacy, democracy.

UPDATE 2015-10-30: the Dutch government announced it has decided on a bill that revises the invalidated Telecommunications Data Retention Act of 2009. Changes are proposes to take into account recent Dutch and European jurisprudence: access to retained data will now require prior approval from a magistrate (specifically, in Dutch, a “rechter-commissaris”), and only be permitted regarding offenses that allow temporary remand (and thus only regarding offenses that carry a maximum penalty of four or more years imprisonment). The status of the bill can be viewed here (in Dutch). The government will consult the Council of State and then submit the bill to parliament.

On February 16th 2015, the Dutch Data Protection Authority (DPA) published its advice (.pdf, in Dutch; mirror) about a bill that the Dutch government announced in November 2014 to change the Dutch Telecommunications Data Retention Act of 2009 to take into account the ECJ’s April 2014 invalidation of the EU Data Retention Directive (2006/24/EC). More about the announced Dutch bill here. In short: the DPA finds the proposal of the Dutch government to (still) violate necessity, proportionality and subsidiarity. The DPA published the following press release:

The Dutch Data Protection Authority (Dutch DPA) at the request of the minister of Security and Justice has issued its advice on a draft bill containing amendments to the existing data retention obligations for telephony and internet communications data. The Dutch DPA finds the need to retain all telephony and internet data in the Netherlands is insufficiently substantiated. The Dutch DPA therefore recommends that the bill shall not be presented to Parliament.

The draft bill is proposed following a decision from the Court of Justice of the European Union in April 2014, annulling the European data retention directive. The Court ruled that a general retention obligation for telecommunications data is in contradiction with the fundamental right to data protection as laid down in European law.

Content of the draft bill

The draft bill proposes amendments on several points, including:

the introduction of a prior check by an examining judge of requisitions by public prosecutors to obtain historical telecommunications data;

the introduction of a distinction between a retention period of twelve months for telephony data and the consultation period of these data of between six and twelve months, depending on the nature of the crime.

Necessity

The retention of the historical telephony and internet data of virtually all Dutch citizens for 6 to 12 months is a far-reaching measure, requiring an irrefutable demonstration of necessity.

The Dutch DPA notes that the substantiation of this necessity in the draft bill falls short, even though law enforcement authorities have been able to gain experience with using retained telecommunications data in the 4,5 years since the entry into force of the Data Retention Law.

Moreover, the draft bill does not address the question whether less far-reaching alternative measures would be available to obtain the same result.

Disproportionate infringement of private life

The Dutch DPA notes the government holds on to a general data retention obligation. The Dutch DPA therefore concludes the infringement of the private life of virtually all Dutch citizens is too big and disproportionate.

It furthermore finds that 3 other preconditions have not been met that remain important, even if the data retention obligation were to be restricted. These are:

the need to inform people that their data have been accessed after a criminal investigation has been finalised;

transparency on the use of retained data, for example through the release of statistics on the number of times data have been accessed;

the need to introduce exemptions for those bound by a duty of professional confidentiality.

Distinction between collection and use

Finally, the Dutch DPA has assessed the distinction between the retention of data and the subsequent use of these data, as envisaged by the government. This distinction does not alter the disproportionality between the purpose of the data collection and the infringement on the private life of virtually all citizens. Therefore, this general data retention obligation is unlawful.

Notably, in November 2014, the Dutch government provided the following argument to justify upholding the existing indiscriminate data retention:

If the data about these persons [i.e., persons without known links to serious offenses] cannot be retained before the offense is committed, such a search query would not be useful. The retaining of certain data about all citizens is thus necessary, as it is not possible to distinguish suspects and non-suspects in advance.

Considering the large privacy infringement and insufficient safeguards, the DPA rejects this argument. The DPA wraps up its advice as follows:

In conclusion, the DPA finds that the proposed changes of the Telecommunications Data Retention Act of 2009 do not meet the requirements of necessity, proportionality and subsidiarity, and that the bill remains in violation of three specific aspects of proportionality, as laid down in Articles 7 and 8 of the Charter and in Article 8 of the ECHR.

We’ll now have to wait and see the Dutch government’s response to this advice.

Lastly, the DPA wrote the following about openly publishing annual statistics about interception and about requests for traffic data and user data (emphasis is mine):

The DPA has taken notice of initiatives from private parties to publish anonymous and aggregated statistics about interceptions and requests for traffic data and user data. Their objective is to provide transparency about the government use of these invasive powers. The Minister of Security & Justice in has seriously discouraged telecom and internet providers to publish such statistics. The Minister references an earlier statement made by the Secretary of State made, namely “that the provisioning of aggregated information can seriously harm the interest of prosecution. Such information can provide insight into the methods of police and the public prosecution service, and adversaries could change their behavior based on that.

In the annual report of the Ministry of Security & Justice, the Minister includes an overview of the total number of requests for ‘historical data’ by the public prosecution service. This annual total does however not provide insight into requests by intelligence & security services, and moreover, is difficult to interpret, because the number of persons is not specified, nor what periods, nor what types of crime. The Scientific Council for Government Policy (WODC) states: “(…) in the Netherlands requests for telecom data are counted by phone number, IMEI number, IP address or cell tower location that data is requested about. Because people use multiple phones, these numbers do not provide insight into the annual number of persons about whom telecom data is requested, or of the number of criminal investigations, or the nature of these investigations”. In requesting cell tower data requests, more persons are involved, because information is obtained about all mobile conversations that took place on a certain time via a specific tower. Moreover, the statistics also include requests for data that are not part of the Dutch Telecommunications Data Retention Act.

The proposition that persons could change their behavior on the basis of anonymous, aggregated statistics, is not substantiated. The government ignores, without explanation, the WODC’s advice to provide more insight “by counting the requests in a way such that it becomes visible about how many persons telecommunications traffic data is requested annually, in how many investigations, and what type of investigations.” The lack of transparency about this aspect hinders democratic oversight on the (effectiveness of the) use of powers, and also does not provide insight to citizens into the use of this instrument.

Employed as technical security consultant at Secura B.V. (formerly known as Madison Gurkha). Guest researcher at University of Amsterdam. MSc in OS3 System & Network Engineering (2005-2006) and PhD in data anonymity (2007-2011) from University of Amsterdam.

Many posts on this blog are scraps of information, published for posterity and reference. Posts prior to Q2/2012 were submitted while I was employed at the University of Amsterdam.